November 7, 2016
On October 27, 2016, the Federal Communications Commission ("FCC" or "Commission") voted to adopt sweeping new regulations to govern the ways in which providers of broadband Internet access service ("BIAS") can use and share their customers’ proprietary information. The rules, adopted by the Commission in a 3-2 split vote, were first proposed in March 2016, and represent the most significant update to Section 222 of the Communications Act in nearly a decade.
There are three key components to the new rules. First, broadband providers must give consumers clear notice of their data collection and use policies. Second, broadband providers must allow consumers to opt out of having "non-sensitive" information used by the provider or shared with third parties, and must obtain affirmative opt-in consent before they use or share "sensitive" customer data, which is defined to include information such as precise geolocation, health information, and the contents of electronic messages. Third, broadband providers must abide by more stringent and specific requirements for notification of data breaches. Each of these new regulations will impose considerable new burdens and costs on broadband providers, as further described below.
The FCC’s new regulations are intended to give broadband providers and consumers greater clarity about providers’ privacy obligations under Section 222 of the Communications Act. Section 222 was enacted in 1996 to establish statutory privacy protections for the data that telecommunications carriers collect from their customers. The FCC’s Open Internet Order, adopted on February 26, 2015, reclassified broadband as a telecommunications service that falls within Title II of the Act. The FCC’s reclassification of broadband was challenged in the D.C. Circuit; petitions for rehearing of the panel opinion upholding reclassification are currently pending in that court.
The FCC’s BIAS privacy regulations represent a new chapter in the patchwork of privacy regulations to which broadband providers are already subject. They apply in addition to existing privacy frameworks such as the Federal Trade Commission’s privacy framework and the Administration’s proposed Consumer Privacy Bill of Rights. They also apply in addition to various state privacy laws, as well as state data security and data breach laws, which the Commission views as preempted only to the extent that the state laws are inconsistent with the FCC’s new regulations. The new rules are scheduled to take effect in phases, the last of them by early 2018.
The new regulations also subject broadband providers to broad "consent" requirements. Specifically, providers must obtain express "opt-in" consent before they may use "sensitive" individually identifiable customer information, and before sharing that information with third parties. Sensitive information is defined broadly to include precise geolocation; children’s information; health information; financial information; Social Security numbers; web browsing history; application usage history; and the contents of any communications.
In addition, broadband providers must provide consumers with an opportunity to "opt out" of consenting to the use and sharing of their non-sensitive information. Non-sensitive information includes all remaining personally-identifiable information, such as service tier information, that could be used for targeted advertising or other commercial purposes.
The exceptions to the consent requirements are limited. Customer consent is inferred only where non-sensitive information is used and shared for marketing telecommunications-related services, billing and collecting for the broadband provider’s services, and preventing fraudulent use of the provider’s network. In addition, broadband providers may use de-identified customer data outside the consent framework, but only if the provider takes significant measures to ensure that the data cannot subsequently be re-identified: the data must not be reasonably linkable to an individual or device, the provider must publicly commit not to re-identify it, and the provider must contractually prohibit any recipient from attempting to re-identify it.
In addition, the FCC’s new rules prohibit broadband providers from refusing to serve customers who do not consent to the use and sharing of their information for commercial purposes. The rules also require heightened disclosure for so-called "pay for privacy" programs, and the Commission has indicated that it will determine on a "case-by-case basis" the legitimacy of financial incentive programs that tie the price of service to a customer’s privacy choices.
In addition to the notice and consent requirements, the new regulations mandate that all broadband providers take "reasonable measures" to protect customer data, commensurate with the size of the provider, the sensitivity of the data, and the technical feasibility of managing the risks.
Rather than providing a checklist of required security measures, the Commission has offered the following guidelines: broadband providers should implement up-to-date industry best practices to manage security risks, provide accountability and oversight of their security practices, employ robust customer authentication practices, and properly dispose of customer data. How these guidelines are implemented is left to each broadband provider’s discretion. Although this gives each provider a degree of flexibility, it is also likely to lead to inconsistencies within the industry and leaves providers without a clear safe harbor against a later finding that their measures were unreasonable.
The Commission has also adopted strict requirements for the notification protocol that a broadband provider must follow in the event of a data breach. These requirements are triggered as soon as a provider determines that there has been an unauthorized disclosure of personal customer information, "unless the provider reasonably determines that no harm is reasonably likely to occur." If the provider determines that harm to customers is reasonably likely, it must comply with the notification requirements even if the breached data was encrypted; the rules contain no encryption safe harbor, although the strength of the encryption is relevant to the harm determination.
In the event of a breach, providers must notify affected consumers as soon as possible, but no later than 30 days after the reasonable determination of a breach. Providers must provide notice to current customers in writing to the customer’s address of record or email address, or by another means of electronic communication that the customer has approved for data breach notifications. Former customers must be notified in writing to the customer’s last known postal address.
If the breach affects fewer than 5,000 customers, broadband providers must notify the Commission at the same time that they notify customers. If the breach affects 5,000 or more customers, however, broadband providers must notify the Commission, the FBI, and the Secret Service no later than seven business days after the reasonable determination of a breach, and at least three days before notifying customers.
Significantly, these data breach notification requirements reach not only the broadband providers themselves but also breaches that occur at their vendors and contractors, so providers will need contractual reporting obligations and incident-response procedures that let them learn of a third-party breach quickly enough to meet the clock. Broadband providers and the other telecommunications carriers that must adhere to these heightened requirements will likely incur significant costs to comply with the new regulations, particularly with the exacting new requirement that any breach affecting 5,000 or more customers be reported to the Commission and law enforcement agencies within seven business days.
In adopting the new rules, the Commission also indicated its disapproval of the use of mandatory arbitration agreements in consumer contracts for communication services. In his remarks regarding the Commission’s adoption of the new rules, Chairman Tom Wheeler announced that the Commission intends to proceed with a rulemaking in February 2017 to address the use of mandatory arbitration agreements in consumer contracts. That rulemaking is likely to undermine the viability of arbitration as a means of dispute resolution throughout the industry, and lead to more class action litigation by consumers.
The industry-wide implications of the Commission’s new rules are substantial. The rules are likely to cause confusion for broadband providers and other players in the Internet eco-system given the often-overlapping jurisdiction of the Commission and the FTC, as well as state regulations of related issues including data breach reporting. Recognizing the possibility of such confusion, Commissioner Jessica Rosenworcel proposed the establishment of a "21st century inter-agency privacy council" to address inevitable duplication and inconsistencies.
In addition, the new rules do not apply to edge providers, which the FCC defines as any "individual or entity that provides any content, application, or service over the Internet," or that provides a device used to access content, applications, or services over the Internet. As a result, edge providers, including, for example, many social media services, are not constrained by these regulations in their collection or use of consumer information. Moreover, the rules present many practical challenges that broadband providers should address in close consultation with counsel, including whether it is necessary or sufficient to obtain opt-in or opt-out consent for each instance of data use, or whether a blanket consent (included, for example, in a user agreement) will suffice.
The FCC released its Report and Order on November 2, 2016. See Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, Report & Order ("Commission Order"), FCC 16-148 (rel. Nov. 2, 2016), available at http://transition.fcc.gov/Daily_Releases/Daily_Business/2016/db1103/FCC-16-148A1.pdf.
Id. ¶ 166. Providers must also obtain affirmative opt-in consent before making any material retroactive change to the use of personally identifiable information, whether sensitive or non-sensitive. Id. ¶ 195.
Edge providers may be subject to other federal and state laws and regulations governing their collection and use of consumer information, as well as to limitations in consumer agreements with their users. See Dissenting Statement of Commissioner Ajit Pai, dated Oct. 27, 2016.
Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these developments. To learn more about these issues, please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Privacy, Cybersecurity and Consumer Protection or Administrative Law and Regulatory practice groups, or the authors:
Alexander H. Southwell – New York (+1 212-351-3981)
Mylan L. Denerstein – New York (+1 212-351-3850)
Helgi C. Walker – Washington, D.C. (+1 202-887-3599)
Chantale Fiebig – Washington, D.C. (+1 202-955-8244)
Please also feel free to contact the following practice group members and leaders:
Privacy, Cybersecurity and Consumer Protection Group:
Alexander H. Southwell – Chair, New York (+1 212-351-3981)
M. Sean Royall – Dallas (+1 214-698-3256)
Debra Wong Yang – Los Angeles (+1 213-229-7472)
Howard S. Hogan – Washington, D.C. (+1 202-887-3640)
Shaalu Mehra – Palo Alto (+1 650-849-5282)
Karl G. Nelson – Dallas (+1 214-698-3203)
Joshua A. Jessen – Orange County/Palo Alto (+1 949-451-4114/+1 650-849-5375)
Michael Li-Ming Wong – San Francisco/Palo Alto (+1 415-393-8333/+1 650-849-5393)
Ryan T. Bergsieker – Denver (+1 303-298-5774)
Richard H. Cunningham – Denver (+1 303-298-5752)
Eric D. Vandevelde – Los Angeles (+1 213-229-7186)
Administrative Law and Regulatory Group:
Eugene Scalia – Co-Chair, Washington, D.C. (+1 202-955-8206)
Helgi C. Walker – Co-Chair, Washington, D.C. (+1 202-887-3599)
© 2016 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.